
I'm trying to set up a GRE tunnel for an anti-DoS solution for my Minecraft hosting.

Server A is the server which forwards the connections to the backend server. Server B is the backend server.

Whenever I connect to a normal Minecraft server on server B through server A, it works as expected.

But when trying to connect to a Minecraft server through a BungeeCord (proxy) server, using server A's public/external IP address, it won't forward the connection. It will, however, connect if I use server B's public/external IP address (it will use lo). But using this will of course render the entire anti-DoS pointless.

So my question: how do I make it possible to forward the connection when using server A's public/external IP address for the BungeeCord (proxy) and Minecraft server?

I used this Hetzner guide to set up the GRE tunnel.

All Minecraft instances are running in Pterodactyl, and also in Docker; the Docker containers run in host network mode.

Active iptables, ip addr, rule and route on server A:

root@tnode1:~# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             10.2.0.2             state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  10.2.0.2             anywhere             state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@tnode1:~# iptables -t nat -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             vps-9cb92e40.vps.ovh.net  tcp dpts:25565:65535 to:10.2.0.2
DNAT       udp  --  anywhere             vps-9cb92e40.vps.ovh.net  udp dpts:25565:65535 to:10.2.0.2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.2.0.0/30          anywhere             to:external.ip.server.a
root@tnode1:~# iptables -t mangle -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
root@tnode1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether fa:16:3e:f4:a7:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet external.ip.server.a/sub brd broadcast.ip.server.a scope global ens3
       valid_lft forever preferred_lft forever
3: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
4: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre external.ip.server.a peer external.ip.server.b
    inet 10.2.0.1/30 scope global gre1
       valid_lft forever preferred_lft forever
root@tnode1:~# ip rule
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default
root@tnode1:~# ip route
default via default.gateway.server.a dev ens3 onlink
10.2.0.0/30 dev gre1 proto kernel scope link src 10.2.0.1

Active iptables, ip addr, rule and route on server B:

root@node1:~# iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
root@node1:~# iptables -t nat -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
root@node1:~# iptables -t mangle -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
root@node1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether a8:a1:59:94:15:bc brd ff:ff:ff:ff:ff:ff
    inet external.ip.server.b/sub brd broadcast.ip.server.b scope global enp8s0
       valid_lft forever preferred_lft forever
3: enp8s0.4000@enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UP group default qlen 1000
    link/ether a8:a1:59:94:15:bc brd ff:ff:ff:ff:ff:ff
    inet 10.1.0.2/24 brd 10.1.0.255 scope global enp8s0.4000
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:a3:d6:7d:49 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
6: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
7: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
8: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre external.ip.server.b peer external.ip.server.a
    inet 10.2.0.2/30 scope global gre1
       valid_lft forever preferred_lft forever
root@node1:~# ip rule
0:      from all lookup local
32765:  from 10.2.0.0/30 lookup GRE
32766:  from all lookup main
32767:  from all lookup default
root@node1:~# ip route
default via default.gateway.server.b dev enp8s0 onlink
10.0.0.0/16 via 10.1.0.1 dev enp8s0.4000
10.1.0.0/24 dev enp8s0.4000 proto kernel scope link src 10.1.0.2
10.2.0.0/30 dev gre1 proto kernel scope link src 10.2.0.2
default.gateway.server.b/sub dev enp8s0 proto kernel scope link src external.ip.server.b
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

I've been working on this for a few days now, does anyone know a solution to this? Thanks in advance!

  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/139111/discussion-on-question-by-sidboy55555-gre-tunnel-doesnt-forward-connection-from). – Ward - Reinstate Monica Sep 10 '22 at 02:38
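Added example, not from the question, the Hetzner guide or any answer: a small checker that parses the `iptables -t nat -L` output of the front server and the `ip rule` output of the backend as pasted above, and verifies the return-path property this kind of DNAT-over-GRE setup relies on. For the backend's replies to go back through the tunnel (instead of leaving via the backend's default route and exposing its public address), every DNAT target inside the transfer net needs an `ip rule from <net> lookup <table>` on the backend, and backend-originated traffic needs SNAT on the front server. The sample inputs are excerpts copied from the question; the rule that replies must be policy-routed is the usual pattern for this setup and is an assumption of the checker, which reads pasted text rather than live state and does not diagnose the BungeeCord-specific behaviour asked about.

```python
"""Check that a DNAT-over-GRE forwarder has a consistent return path.
Added example: parses pasted `iptables -t nat -L` / `ip rule` output."""
import ipaddress
import re

# Excerpts copied from the question: server A's nat table, server B's ip rule.
SERVER_A_NAT = """\
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             vps-9cb92e40.vps.ovh.net  tcp dpts:25565:65535 to:10.2.0.2
DNAT       udp  --  anywhere             vps-9cb92e40.vps.ovh.net  udp dpts:25565:65535 to:10.2.0.2

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.2.0.0/30          anywhere             to:external.ip.server.a
"""

SERVER_B_IP_RULE = """\
0:      from all lookup local
32765:  from 10.2.0.0/30 lookup GRE
32766:  from all lookup main
32767:  from all lookup default
"""


def parse_nat_table(text):
    """Return rules as dicts {chain, target, prot, source, destination, to}."""
    rules, chain = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("Chain "):
            chain = line.split()[1]          # "Chain PREROUTING (policy ACCEPT)"
            continue
        if line.startswith("target "):       # column header
            continue
        f = line.split()
        if len(f) < 5:
            continue
        to = next((x[3:] for x in f[5:] if x.startswith("to:")), None)
        rules.append({"chain": chain, "target": f[0], "prot": f[1],
                      "source": f[3], "destination": f[4], "to": to})
    return rules


def parse_ip_rule(text):
    """Return (priority, selector, table) tuples from `ip rule` output."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+from\s+(\S+)\s+lookup\s+(\S+)", line)
        if m:
            out.append((int(m.group(1)), m.group(2), m.group(3)))
    return out


def selector_covers(selector, addr):
    """True if an iptables source / ip-rule selector matches the address."""
    if selector in ("all", "anywhere"):
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def check_return_path(nat_text, rule_text, tunnel_net="10.2.0.0/30"):
    """Return a list of problems; an empty list means the checks passed."""
    net = ipaddress.ip_network(tunnel_net)
    rules, ip_rules, problems = parse_nat_table(nat_text), parse_ip_rule(rule_text), []
    targets = {r["to"] for r in rules
               if r["chain"] == "PREROUTING" and r["target"] == "DNAT" and r["to"]}
    if not targets:
        problems.append("no DNAT rule in PREROUTING on the front server")
    for t in sorted(targets):
        addr = ipaddress.ip_address(t.split(":")[0])     # strip optional :port
        if addr not in net:
            problems.append(f"DNAT target {addr} is outside the tunnel net {net}")
            continue
        # Replies from the backend must be policy-routed back into the tunnel.
        if not [tbl for _, sel, tbl in ip_rules if sel != "all" and selector_covers(sel, str(addr))]:
            problems.append(f"no 'ip rule from ... lookup <table>' on the backend covers "
                            f"{addr}; replies would leave via the backend's default route")
    snat = [r for r in rules if r["chain"] == "POSTROUTING" and r["target"] in ("SNAT", "MASQUERADE")]
    if not any(selector_covers(r["source"], str(net.network_address))
               and selector_covers(r["source"], str(net.broadcast_address)) for r in snat):
        problems.append(f"no SNAT/MASQUERADE in POSTROUTING covers {net}")
    return problems


if __name__ == "__main__":
    print(check_return_path(SERVER_A_NAT, SERVER_B_IP_RULE) or "return path consistent")
```

Run against the output in the question it reports no problems; delete the `32765: from 10.2.0.0/30 lookup GRE` line from the backend's `ip rule` and it flags 10.2.0.2, which is the asymmetric-routing failure that lets the backend's own public address leak into the reply path.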
